# Security ## Reporting Raise a private issue in Forgejo or contact the repo owner directly. ## Credentials - Never commit keytabs, .ccache files, or .env files - all are in .gitignore - The keytab must be stored as a Docker secret only - The service account (dns-updater) should have no other privileges beyond DnsAdmins - Rotate the keytab periodically - see docs/operations.md ## Threat model | Threat | Mitigation | |---|---| | Keytab compromise | Scoped to DnsAdmins only; rotate via samba-tool user setpassword | | Container escape | Runs as nobody; no capabilities; no host mounts beyond the secret | | DNS spoofing | GSS-TSIG: updates are Kerberos-signed and verified by the KDC | | Unauthorised DNS writes | Only the dns-updater principal can authenticate with this keytab | | Traefik API abuse | API is read-only; no writes to Traefik from this service |